Linux

Debian

For our servers we’re using minimal Debian Linux installations.

Setup Debian

The setup of new Debian servers (bare-metal & virtual machines) is automated like so:

  1. The machine is started

  2. A Debian ISO is mounted, and the installation is started with the «Automated install» mode

  3. One of our Preseed configs is used to setup the machine on a DHCP IP

  4. When the minimal setup is finished, the Ansible initialise.yml playbook will finish the configuration

  5. The machine is rebooted with the correct (network) configuration

Hint

Bare-metal servers have to be booted into Debian’s «Automated install» manually, while virtual machines can be created, and booted into «Automated install» via the Ansible vm_create.yml playbook automatically.

See also

Check out the Proxmox documentation, esp. the Manage virtual machines chapter, on how to manage virtual machines after they’ve been installed.

To learn more about automated Debian installations, check out the official «Automating the installation using preseeding» docs.

Update Debian

Debian updates, as well as reboots, are mostly automated:

Hint

For the timing, check out the Scheduled jobs.

Debian hardening

The hardening of our Debian servers is achieved like this:

  1. We’re only installing a minimal Debian Linux via Expert install

  2. We’re installing all updates automatically

  3. Different Ansible roles ensure everything is hardened

The different Ansible roles are:

  • apparmor: AppArmor kernel security

  • docker: Enforces Docker containers to run in user namespaces

  • firewall: A hardened nftables Firewall

  • root: Enforces a strong & secure root password

  • ssh: Enforces strong ciphers, and prohibits password & root logins

  • sudo: Enforces privilege escalation via sudo for selected users

  • sysctl: Hardening for a lot of different kernel options

  • users: Enforces secure permissions & SSH keys, and prohibits passwords